Social security benefits hacked: A cautionary tale

Posted by Guest Blogger on Feb 05, 2018

If you or your clients are at or nearing retirement age, you need to know that hackers are targeting social security accounts. I found out the hard way. My career as a CPA Personal Financial Specialist was devoted to advising individuals and families on their most important financial goals, including tax, retirement, estate, risk management, investment and retirement planning. After decades of helping my clients navigate and manage these important decisions, imagine my surprise when I received a letter in the mail shortly after my 67th birthday congratulating me on initiating my Social Security benefits. The trouble was, although I had entered the glory years of retirement, I had not yet applied for Social Security benefits, opting to wait until age 70 to receive my benefits. Further digging uncovered the unfortunate fact that a thief had received $19,236 of my benefits. I was dumbfounded.

How did this breach occur? And if I was victimized, who else might be at risk? What can you do to prevent this or respond should this happen to you or your clients?

Who is at risk?

All individuals age 62 to 70 who have not yet applied for benefits are at risk, particularly if their personal information was exposed in the Equifax breach. For beneficiaries over age 66.5, the risk is even greater. In my case, a fraudulent application was made one month after I turned 67. The timing is not coincidental – in fact it reveals that the thief was sophisticated enough to understand the Social Security system. Individuals who have reached full retirement age and have not applied for benefits can receive a retroactive payment from Social Security of up to six months of benefits. So, beginning at age 66.5 (for people born between 1943 and 1954), thieves can access the maximum amount of back benefits.

How did this happen?

While I’m not entirely sure how the thief obtained my personal information, it’s likely that the Equifax data breach, which exposed the vital personal identification data of as many as 143 million consumers, contributed to the identity theft. According to the Equifax website, my personal information was potentially exposed as a result of the breach.

Prior to the Equifax breach, I had frozen my credit with all three credit bureaus, effectively denying any attempts to obtain credit in my or my wife’s names. Despite the freeze, the thief was able to have my benefits direct deposited into an account opened with a bank that proudly advertises at major retailers that they do not perform credit checks prior to issuing prepaid Visa debit cards. If these stores had done a credit check, in my case, they would have found that I had freezes on all three bureaus and would have then rejected the false application they had blindly accepted with my stolen information.

But Equifax, the bank, and the retailers who market and sell these cards are not the only players involved. There is a flaw in the controls on the Social Security website that, unfortunately, does little to protect the beneficiary.

Beneficiaries who set up a my Social Security account can view their Social Security Statement, update their address and phone number, start or change direct deposit of their benefit payment, and view benefits online. This secure website sends an email or text message with a secure access code to the contact information on file on the website before login can be completed.

However, there is a separate, unsecure website that is not located within the secure my Social Security account, which was the door the thief used to perpetrate the fraud. This website, the Social Security Retirement/Medicare Benefit application, can be used to apply for benefits online.

On the unsecure website, the thief changed one digit of my phone number, entered a fake email address, set up direct deposit information for the bank prepaid card that had been fraudulently opened, and applied for benefits. Although the personal information entered by the thief did not match the information I had previously entered on the secure website, I received no notification of these changes or the fact that a benefit application had been made.

If there is a silver lining, it is that addresses cannot be changed on the unsecure benefit application website, so I received a letter in the mail congratulating me for initiating my benefits. Unfortunately, six months of back benefits and a current month of benefits, totaling over $19,000, had been dispersed to the fraudulent bank card account prior to when the Social Security Administration (SSA) mailed the letter and 11 days before I received it.

What Next?

Whether or not you are a victim of this crime, taking precautionary security measures to protect yourself from a diversion of benefits is critical. The SSA provides recommendations on how to secure your information online. Unfortunately, because of the notification breakdown and unsecure nature of the benefit application website, taking these steps does not ensure that you will not be victimized. At a minimum, I would recommend that you a create a my Social Security account and log in at least annually (more frequently if over age 62) to verify your personal information and benefit status.

If you discover that you or one of your clients has been the victim of a Social Security breach or theft, make an appointment (if you can) or wait in line at your local SSA office immediately. You will be interviewed and required to provide a written statement certifying the circumstances of the fraud. The agent will freeze further payments on your account. Maintain digital and hard copies of everything that you receive. Furthermore, I was advised to file a police report with a case number, which I have maintained in my files. Finally, I had electronic access to my account blocked.

I just received Form SSA-1099 for the $19,236 that was disbursed out of my account. I will now have to battle with both the IRS and the Social Security Administration, and eventually Medicare as this additional income would tip me over the threshold for means testing on my Parts B and D premiums.

I urge you to alert your clients of this and other cybersecurity risks. The AICPA Tax Section has a toolkit relating to tax identity theft, including a client identity theft checklist with action steps for recovery that is open to all AICPA members. Consumers can also benefit from materials on the AICPA’s 360 Degrees of Financial Literacy website relating to identity theft. In addition to the SSA recommendations, Broadridge Advisor (which offers free access to AICPA PFP/PFS members) has a customizable client article on “How to Protect Yourself Against Identity Theft” as well as materials related to the Equifax breach.

James A. Shambo, CPA (retired) is president of Lifetime Planning Concepts, Inc., which is located in Colorado Springs, CO. James served in many capacities in the profession, including as a member and chairman of the AICPA Personal Financial Planning Executive Committee, member of the Colorado Specialization Oversight Board, and on several PFS related committees. He has been a regular speaker at national and state PFP conferences, and is the author of The CPA’s Guide to Practical Retirement Planning. He recently developed a tool, the Retiree’s Cost of Care Barometer which is available on aicpa.org. He is the recipient of the AICPA PFP Distinguished Service Award as well and Stanley H. Breitbard Lifetime Achievement Award.